REST doesn't lead to "session-ing", and this is very true for other apps as well that do RESTful interactions, not just ODWEK. I have done implementations where, as Alessandro mentioned, you retain the UUID in a cookie and supply that as part of each request.
Another approach that could work with REST is to restrict access to the endpoints via a list of IP addresses that this service can respond to, i.e. an internal network subnet address or a range of IP addresses. When a request comes in, the service can verify it against the internal list (stored in a DB somewhere to allow for changes without code deployment). If the IP address exists, allow the request; otherwise return an HTTP-403 (Forbidden).
Good discussion though and definitely has me tempted to do a prototype against our implementation.
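The allowlist check described in the post above, as an added example that is not part of the original post or of ODWEK. The table name `ip_allowlist`, the function names and the sample ranges are assumptions, and an in-memory SQLite table stands in for the database; the address checked is the TCP peer address, not a client-supplied header.

```python
import ipaddress
import sqlite3


def open_allowlist_db():
    """Constructed in-memory table standing in for the DB the post mentions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ip_allowlist (cidr TEXT PRIMARY KEY, note TEXT)")
    db.executemany("INSERT INTO ip_allowlist VALUES (?, ?)", [
        ("10.20.0.0/16", "internal subnet (constructed sample)"),
        ("192.0.2.15/32", "single host (constructed sample)"),
        ("fd00:abcd::/32", "internal IPv6 range (constructed sample)"),
    ])
    return db


def load_networks(db):
    """Read the allowlist rows; re-run this to pick up changes without a deploy."""
    networks = []
    for (cidr,) in db.execute("SELECT cidr FROM ip_allowlist"):
        try:
            networks.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            continue  # a malformed row never widens access, it is skipped
    return networks


def authorize(peer_ip, networks):
    """Return the HTTP status for a request from peer_ip: 200 or 403."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return 403  # fail closed on anything that is not a single address
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership is False when the address and network versions differ
    if any(addr in net for net in networks):
        return 200
    return 403


if __name__ == "__main__":
    nets = load_networks(open_allowlist_db())
    for ip in ("10.20.5.9", "::ffff:10.20.1.5", "10.21.0.1", "not-an-ip"):
        print(ip, authorize(ip, nets))
```

Behind a reverse proxy the peer address is the proxy's, so the check has to run at the proxy or use a forwarded address that only that proxy is trusted to set.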